Malware Deobfuscator

Auto-detection mode systematically tries multiple deobfuscation techniques and ranks results by readability and entropy scoring. Process: (1) Base64 detection - Tries standard and URL-safe Base64 decoding, (2) Hex detection - Attempts hexadecimal to ASCII conversion, (3) URL decoding - Tests percent-encoded strings, (4) ROT cipher - Tests ROT1, ROT3, ROT7, ROT13, ROT25, (5) XOR brute force - Tests all 256 single-byte XOR keys, (6) Scoring - Each result gets readability score based on English letter frequency and common words. Best match criteria: Highest score wins, visible at top with green highlight, considers printable characters and entropy levels. Use cases: Unknown malware samples, multi-encoded strings, quick triage during incident response. Limitations: Does not detect custom encodings, complex multi-byte XOR, compression (gzip, deflate), or polymorphic code. For those, use manual chaining with specific keys.

XOR brute force systematically tests all 256 possible single-byte XOR keys (0x00 to 0xFF) to decode obfuscated data. How it works: For each key byte K: (1) XOR every byte of input with K, (2) Score result based on printable character ratio, (3) Apply English frequency analysis, (4) Check for common words (script, http, function, var), (5) Rank by total score. When to use: Malware network indicators (C2 domains, IPs) often XOR-encoded with single byte, Shellcode obfuscation in exploits, Ransomware config files hiding keys/domains, CTF challenges and malware reversing puzzles. How to identify XOR encoding: Data looks random but has consistent byte distribution, Known plaintext attacks - if you know part of decoded string, Entropy not quite random. Real example: Emotet malware XORs C2 server list with 0x42, one click brute force reveals all IPs. Multi-byte XOR: For keys longer than 1 byte, auto-detection will not work.

Malware often uses multiple layers of encoding to evade detection. Chaining allows you to decode layer by layer. Process: (1) Run auto-detect or specific technique on input, (2) Click Chain button on promising result to use it as input for next step, (3) Select next technique (e.g., Base64 then XOR), (4) Repeat until readable plaintext emerges. Common chain patterns: PowerShell: Base64 to URL decode to Base64 again, JavaScript: URL decode to Base64 to eval code, Shellcode: Hex to XOR to assembly, Custom packers: Base64 to gzip to XOR to PE file. Example real-world chain: Obfuscated PowerShell downloader uses Base64 (outer layer) then XOR (middle layer) then Base64 again (inner C2 URL). Without chaining, you would miss the final payload. Chain view shows all steps with inputs and outputs so you can track your deobfuscation progress and share findings with team.

Readability score and entropy help identify successful deobfuscation automatically. Readability Score: Measures how much decoded output looks like real text. Based on English letter frequency (e, t, a, o, i most common), Common word detection (the, and, http, script, function), Printable character ratio (ASCII 32-126), Whitespace and punctuation patterns. High score (100+) indicates likely successful decode, low score (0-30) means still obfuscated or wrong key. Entropy: Measures randomness of data. Low entropy (2-4) = Repeated patterns, plain text, High entropy (7-8) = Random, compressed, or encrypted. Ideal for malware strings: entropy around 4-5 after deobfuscation. Use together: High readability + Medium entropy = Success, Low readability + High entropy = Still encrypted, High readability + Low entropy = Possible false positive (repeated chars). Example: XOR with correct key drops entropy from 7.2 to 4.8 and readability jumps from 5 to 250.

Identifying the encoding technique requires pattern recognition and statistical analysis. Visual indicators: Base64: A-Z, a-z, 0-9, +, /, = padding, length divisible by 4, often ends with = or ==. Hex: Only 0-9 and A-F characters, even length, pairs represent bytes. URL encoding: Percent signs followed by hex (%20, %3A, %2F), mixed with regular characters. ROT13/Caesar: Looks like scrambled text, letter frequency still visible, preserves case and spacing. XOR: Completely random looking, may have repeating patterns if key is short. Statistical analysis: Base64: Entropy around 6.0, 75% efficiency (3 bytes to 4 chars). Hex: Entropy around 4.0, 50% efficiency (1 byte to 2 chars). Encrypted/XOR: High entropy (7-8), appears random. Compressed: Very high entropy (7.5-8), no patterns. Quick test: Try auto-detect mode first, Check length (Base64 increases by 33%, Hex doubles), Look for padding or special chars, Consider context (PowerShell = likely Base64, Network traffic = maybe Hex).

Finding malicious code during deobfuscation requires careful handling and proper incident response. Immediate actions: (1) DO NOT execute the code - even in a VM without proper isolation. (2) Document everything: Take screenshots, save all deobfuscation steps, record timestamps, note file hashes. (3) Isolate the system: Disconnect from network if malware is active, Preserve memory and disk state, Do not shut down immediately (loses RAM evidence). (4) Analyze safely: Use dedicated malware analysis VM, Disable network or use isolated test network, Take snapshots before any execution. Security team notifications: Alert your SOC/IR team immediately, Provide IOCs: IPs, domains, file hashes, URLs, Share deobfuscation chain for their analysis. Threat intelligence: Check if already known (VirusTotal, AlienVault, MISP), Submit IOCs to sharing platforms, Document TTPs for future detection. Legal considerations: Preserve evidence for forensics, Follow data breach notification laws if applicable, Coordinate with legal team before public disclosure. Remember: This tool is for ANALYSIS only, not for creating or modifying malware.

No single tool can detect all obfuscation techniques. This tool covers common methods but has limitations. Supported techniques: Base64 encoding (standard and URL-safe), Hexadecimal encoding, URL/percent encoding, ROT-N ciphers (1-25), Single-byte XOR (brute force all 256 keys), Multi-byte XOR (if you know the key). Limitations and what we DO NOT support: (1) Compression: GZIP, Deflate, LZMA, Bzip2 - requires external tools. (2) Strong encryption: AES, RSA, 3DES - cannot be brute forced. (3) Custom algorithms: Proprietary encoding schemes unique to specific malware. (4) Polymorphic code: Self-modifying code that changes each execution. (5) Binary packers: UPX, ASPack, Themida - needs specialized unpackers. (6) Steganography: Data hidden in images, audio files. (7) Complex multi-byte XOR: Without key length detection. Recommended workflow: Start with this tool for initial triage, Use IDA Pro, Ghidra for binary analysis, Use sandbox environments (Any.run, Joe Sandbox) for dynamic analysis, Combine with YARA rules and signature detection. Think of this as first-stage triage, not complete analysis suite.

Sophisticated malware uses layered obfuscation to maximize evasion and slow down analysis. Common layering strategies: (1) Onion model: Each layer wraps the previous, Example: Base64(XOR(Hex(payload))), Must decode in reverse order applied. (2) Stage-based: Different layers for different stages, Stage 1: URL decode (initial dropper), Stage 2: Base64 (downloaded payload), Stage 3: XOR (final shellcode). (3) Mixed encoding: Combine encoding with encryption, Example: Base64(AES(payload, key)), Key itself might be XOR-encoded. Real-world examples: Emotet: Base64 outer layer, XOR middle layer for C2 list, PE file as final payload. Cobalt Strike: Hex-encoded loader, XOR-encrypted beacon config, AES-encrypted C2 traffic. PowerShell downloaders: Base64 command line flag, URL-encoded download URL inside, Base64-encoded payload from server. Defense strategy: Use auto-detect to identify outer layer, Chain deobfuscation for each layer, Document the full chain for IOC extraction, Check for patterns (same XOR key across samples). This tool makes chaining easy with the Chain button - each successful decode becomes input for next layer.